How to manage passwords safely and protect our privacy

Published: January 27, 2021 at 9:55 am

It goes without saying that protecting online privacy and financial transactions is of utmost importance. This article discusses how we can protect our privacy with strong passwords and how to manage those passwords safely.

About the author: Rajavel is a Computer science Graduate from NIT Trichy. He currently works as a software engineer in a premier Investment bank. He is an avid reader of Freefincal. This time he wanted to give back to the Freefincal community by sharing his knowledge on this subject.

Contents

  • Encryption & Hashing
  • What happens when you sign up/sign in to a website?
  • Unique passwords
  • Strong Passwords
  • Password managers

Disclaimer: I’m not associated with any of the websites/links/password managers mentioned in this article.

Encryption & Hashing

These are two basic concepts you must understand before looking at how passwords work.

Encryption is the process of encoding information. It converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext, using a key (a secret text).

Let us try an example with AES-128 encryption (which uses a 16-character key; each character is 8 bits, so 16*8 = 128 bits). If we encrypt the message “How are you?” with our secret key “ramaramaramarama”, the resulting ciphertext looks like this: “ZGYP4/sparcNYA9WBoF0zA==”.

The ciphertext can only be decrypted by someone who has the key that was used to encrypt it.

Hashing transforms a string of characters into a fixed-length value that represents the original string.

The md5 hash of the message “Where are you?” is eccd993f47dec88b14a0c982b6948358.

So you cannot use hashing to STORE something you need to read back later: you cannot retrieve the original message from its hash. Can two different inputs have the same hash value? Yes, but finding such a pair is practically impossible because of the length of the hashes that modern hashing algorithms produce.

What happens when you sign up/sign in to a website?

When you sign up on a website, a hashing function creates a hash of the password you entered, and that hash is stored on their server; the password itself is discarded. When you log in, the password is sent over the network and hashed on the server with the same hashing function. The resulting hash is compared to the hash stored on the password server, and only if they match is the user granted access.

Why are passwords stored as hashes? Because if the website gets hacked someday, only the hashes of the passwords are revealed and not the actual passwords. When data breaches happen these days, the usernames and the corresponding password hashes are sold on the dark web. A lot of precomputed hashes are available on the internet: for simple passwords like password123, the hash is well known, so when hackers see that well-known hash they know your password is password123. But if the website salts passwords before hashing them, cracking your password becomes much trickier. More on hashing, how hashes are cracked, salts in hash.
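The sign-up and sign-in flow described above, as an added example that is not part of the original article: each account gets its own random salt and the password is run through a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library) instead of a plain md5, so two users with the same password get different stored hashes and a precomputed table is useless. The iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def sign_up(password: str, salt: bytes = b"") -> dict:
    """Store only salt + hash; the password itself is discarded."""
    salt = salt or os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def sign_in(record: dict, password: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), ITERATIONS
    )
    # constant-time comparison so response timing does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), record["hash"])


def unsalted_md5(password: str) -> str:
    """The weak scheme: identical passwords give identical, lookup-able hashes."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    alice = sign_up("password123")
    bob = sign_up("password123")
    # Same password, different salts -> different stored hashes, so a
    # precomputed table entry for "password123" matches neither record.
    print(alice["hash"] != bob["hash"])                  # True
    print(sign_in(alice, "password123"))                  # True
    print(sign_in(alice, "Password123"))                  # False
    # Without a salt, every user with this password shares one well-known hash.
    print(unsalted_md5("password123") == unsalted_md5("password123"))  # True
```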

But on spooky random websites, where we create logins just to read articles, play games etc., we never know how they handle our passwords; they might store our passwords as plain text on their servers. Even if they store our passwords properly hashed, they can still see our password when we sign up, because they ultimately need the password in order to hash it and store it. In some cases the password you enter is hashed in your browser and only then sent to their servers, but you never know when that changes, since we cannot check the source code of every site we use every time. So never trust websites with your passwords.

Okay, now let’s assume some random website where you have a login is compromised, and the hacker manages to find your password. Now it’s easy for him to log in to other websites using the same password or common variants of it. If your Facebook password was ramaFB123 and was compromised, then ramaTW123 might be a good guess for your Twitter account. There are computer programs that do all this, at speeds of 1 billion passwords per second, so such variations on a password are not going to protect you. Watch some interesting live-action password cracking here.

Now let’s discuss how websites store our data. We often think all our data is encrypted on the servers behind Google Drive/Gmail/Facebook etc. Yes, all data is encrypted, BUT not with YOUR password as the key; the respective website owns the encryption key. If they had encrypted all your data with your key, even they would not be able to read your data. Yes, you are right: Google can read your emails.

“So where is my password used then?” In most cases your password is only used to check your login. After verification, they generally give you a unique browser cookie, which is used to authenticate you from then on. If all of Google Drive’s data were compromised one day, nobody would need YOUR password to decrypt the files YOU stored in Google Drive. But these are privacy issues, which we will not cover in this article.

Unique passwords

What have we understood so far? If your password leaks out of some random website, then you are probably in danger.

The only solution is to have a different password for every website we use. We have all signed up to hundreds of websites, and it’s simply not possible to remember hundreds of passwords. Before moving on to how we can handle 100 different passwords, let us discuss strong passwords.

Strong Passwords

Is [email protected] a strong password? Try this to find out. It’s not strong; spend some time experimenting on that website with various passwords you can think of. If you play with such tools for a while, you will notice that longer passwords take more time to crack. Also, at greater lengths like 15 characters, it does not matter much whether you use upper case, numbers and symbols or not. So it’s the length that matters most in a password: the longer it is, the safer you are.

So let’s settle on long passwords, but it’s tough to remember 15 random characters. So we bring in the passphrase concept. A passphrase looks like this: “clever pants oxygen sharpener”. It is 29 characters long, so it’s solid, yet straightforward to remember. Let us try to understand how.

Let’s try to find how many different PASSWORDS you can make with 29 characters.

Total available characters = 26(lower) + 26(upper) + 10(numbers) + 30(symbols) = 92

Password length = 29

Total No of passwords possible: 92^29 = 890,936,995,405,850,020,916,615,802,384,990,844,247,276,366,492,831,055,872

Wow! With such a big search space it is impossible for the hacker to brute-force the password (try all possible combinations).

So they would try brute-forcing passphrases instead (combining whole words rather than individual characters), but that is not easy either.

Let’s try to find how many different combinations you can make with English words for a 4-word passphrase (like “clever pants oxygen sharpener”).

No of English words available (a simple google search) = 1,71,146

No of Words in our passphrase = 4

Total No of passphrases possible: 1,71,146 ^ 4 = 857,959,946,160,091,395,856.

This is a big enough search space for our password. How much time would it take to crack it at the rate of 1 billion guesses per second? 27,205 years. Still want a tougher passphrase? Just add one more word (clever pants oxygen sharpener nuclear). This 5-word passphrase will take 46 MILLION CENTURIES to crack. You should be happy now!

So a 29-character 4-word passphrase is almost as secure as a 29-character random password. Also make sure not to use very common words, which would make the search space smaller. You can also try an online passphrase generator.

If you introduce numbers, symbols or non-English words into the passphrase, the search space becomes much bigger, which might not be needed. It also adds the burden of remembering complex passwords. Don’t bring in combinations like kj7b)*4H anywhere: you will make the search space bigger (which might not be needed), but you might soon forget the password.
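The search-space arithmetic from the passphrase section, recomputed with exact integers as an added example (not code from the original article). The 92-character alphabet, the 171,146-word dictionary and the 1 billion guesses per second are the article’s own assumptions; the entropy-in-bits helper generalises the idea to any word count.

```python
import math

ALPHABET = 26 + 26 + 10 + 30      # lower + upper + digits + symbols = 92
DICTIONARY = 171_146              # English words, as quoted in the article
GUESSES_PER_SECOND = 10**9        # 1 billion guesses per second
SECONDS_PER_YEAR = 365 * 24 * 3600


def random_password_space(length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return ALPHABET ** length


def passphrase_space(words: int) -> int:
    """Number of distinct passphrases built from `words` dictionary words."""
    return DICTIONARY ** words


def years_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> int:
    """Whole years needed to try every candidate at the given guessing rate."""
    return space // rate // SECONDS_PER_YEAR


def entropy_bits(space: int) -> float:
    """log2 of the search space: the usual way to express password strength."""
    return math.log2(space)


if __name__ == "__main__":
    print(random_password_space(29))                     # 92^29, a 57-digit number
    print(passphrase_space(4))                           # 857959946160091395856
    print(years_to_exhaust(passphrase_space(4)))         # 27205 years
    print(years_to_exhaust(passphrase_space(5)) // 100)  # about 46 million centuries
    for n in (3, 4, 5):
        print(n, "words:", round(entropy_bits(passphrase_space(n)), 1), "bits")
```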

So good passphrases are easy to type, easy to remember, easy to write in some secure location, and hard to crack.

Password managers

In the section ‘Unique passwords’ we saw that it’s best to have a unique password for every site we use. After learning about strong passwords we might want to use passphrases for all logins, but we still cannot remember 100 passphrases.

Password managers come to the rescue. For this article let us assume we use Bitwarden, a well-known open-source password manager.

Bitwarden stores all the passwords/passphrases you use for all websites in its vault. The vault has a master password, which is the only one you will need to remember, preferably a strong passphrase. Before we even move on, stop me and ask:

“It’s like putting all eggs in one basket, if my master password gets compromised, then all my passwords are compromised. Why would I do this?”

  • It’s not possible to remember 100 different passwords.
  • Even if we use a single ultra-strong password (or variants of it) for all websites, there is the risk that some weak website gets hacked and your password is exposed, or that some spooky website you logged in to leaks your password. Some creepy websites might even store your password in plaintext on their servers.

“OK, but why can’t Bitwarden be hacked or leak our passwords someday?”

Because Bitwarden does not have our master password stored. All our data is encrypted, and only we have the key (which is our master password). So even Bitwarden cannot open and read our vault. After we log in, the encrypted vault is sent to us, and decryption of the vault happens on the client side (our computer). Also, our master password is never sent directly to the servers. Watch this video to understand how authentication takes place in password managers.

“How are you so sure that they cannot do fishy stuff?” Bitwarden is open source, meaning anybody can inspect its source code. They are also frequently audited by third-party agencies. Why should I trust Bitwarden?

“How do they make money then?” They have paid premium features, like family/enterprise options, a vault to store files etc. The Bitwarden blog answers most such common questions.

Now let’s add more complexity. In an extreme case, a hacker might guess your master password, or install a key logger on your PC (through some malware) and find your master password. OK, now we are doomed.

But there is a way to protect ourselves from this: using 2-factor authentication for Bitwarden. You can configure applications like Google Authenticator or Authy (Google Authenticator vs Authy) with your Bitwarden account to enable 2-factor authentication. The authenticator app generates a 6-digit number which changes every 60 seconds. Every time you log in to Bitwarden, you will have to enter the 6-digit authentication code. Even if the hacker knows your master password, he cannot find the authentication codes as they keep changing every minute. I’m not discussing 2-factor authentication in more detail here, as it’s a vast topic by itself.

Other major features of Bitwarden: it can suggest random strong passwords when you sign up for websites, it has browser plugins to autofill passwords when you sign in, it also has a mobile app, and you can store other information like identities, credit cards or even secure notes.
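How an authenticator app arrives at its 6-digit code, as an added example that is not part of the original article or of Bitwarden: the TOTP algorithm (RFC 6238) derives the code from a shared secret plus the current time, so the code cannot be produced from the master password alone. The step length is a configurable parameter; the 30-second step and the secret used here are the RFC’s published test-vector values, not a real account’s.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per code (RFC 6238 test-vector value)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """Time-based code: HOTP with counter = number of time steps since the epoch."""
    return hotp(secret, at_time // step, digits)


def verify(secret: bytes, submitted: str, at_time: int) -> bool:
    """Accept the current code or its immediate neighbours, to tolerate clock drift."""
    for skew in (-1, 0, 1):
        if hmac.compare_digest(totp(secret, at_time + skew * TIME_STEP), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret (apps usually import it as base32 text from a QR code)
    secret = b"12345678901234567890"
    print(totp(secret, 59))                 # 287082 (RFC 6238 test vector, 6 digits)
    print(verify(secret, "287082", 59))     # True
    print(totp(secret, int(time.time())))   # the code an app would show right now
```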

Conclusion

  • Always use a password manager to store all your passwords.
  • Have a strong master password like “clever pants oxygen sharpener.”
  • Enable 2-factor authentication in the password manager for more security.
